OpenSSL errors when connecting proxy #151

Closed
awwithro opened this issue Apr 29, 2024 · 10 comments
Labels
bug Something isn't working

Comments

@awwithro

Describe the bug

The proxy throws an SSL handshake error when connecting.

To Reproduce

docker run --rm -it --entrypoint=/root/bin/localproxy --network=host public.ecr.aws/aws-iot-securetunneling-localproxy/ubuntu-bin:arm64 --region us-west-2 -s 5555 -t <my_token>

results in

[2024-04-29 20:56:38.196943] (0x0000ffff9a32d040) [warning] Found access token supplied via CLI arg. Consider using environment variable AWSIOT_TUNNEL_ACCESS_TOKEN instead
[2024-04-29 20:56:38.197841] (0x0000ffff9a32d040) [info] Starting proxy in source mode
[2024-04-29 20:56:38.206762] (0x0000ffff9a32d040) [info] Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.us-west-2.amazonaws.com:443
[2024-04-29 20:56:38.513235] (0x0000ffff9a32d040) [error] Could not perform SSL handshake with proxy server: unregistered scheme (STORE routines)
[2024-04-29 20:56:41.019975] (0x0000ffff9a32d040) [info] Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.us-west-2.amazonaws.com:443
[2024-04-29 20:56:41.108651] (0x0000ffff9a32d040) [error] Could not perform SSL handshake with proxy server: unregistered scheme (STORE routines)
[2024-04-29 20:56:43.618218] (0x0000ffff9a32d040) [info] Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.us-west-2.amazonaws.com:443
[2024-04-29 20:56:43.714607] (0x0000ffff9a32d040) [error] Could not perform SSL handshake with proxy server: unregistered scheme (STORE routines)

Expected behavior

I would expect this to connect successfully.

Also, the entrypoint is pointing to /root/bin instead of the proxy.

Actual behavior

The above error is thrown repeatedly.

Environment (please complete the following information):

  • OS: OSX 14.4.1 running Docker Desktop 4.29.0
  • Architecture: arm64 / M3
  • Localproxy commit: public.ecr.aws/aws-iot-securetunneling-localproxy/ubuntu-bin:arm64
@awwithro awwithro added the bug Something isn't working label Apr 29, 2024
@RogerZhongAWS
Contributor

Hello, I believe #126 fixed this issue and added a -latest suffix to all latest image tags. Can you try doing docker pull public.ecr.aws/aws-iot-securetunneling-localproxy/ubuntu-bin:arm64-latest and rerunning your command with this new image?

@awwithro
Author

awwithro commented May 1, 2024

I'm seeing the same behavior with the latest tag as well:

Status: Downloaded newer image for public.ecr.aws/aws-iot-securetunneling-localproxy/ubuntu-bin:arm64-latest
[2024-05-01 21:44:47.710640] (0x0000ffffa8fb7fc0) [warning] Found access token supplied via CLI arg. Consider using environment variable AWSIOT_TUNNEL_ACCESS_TOKEN instead
[2024-05-01 21:44:47.710813] (0x0000ffffa8fb7fc0) [info] Starting proxy in source mode
[2024-05-01 21:44:47.712944] (0x0000ffffa8fb7fc0) [info] Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.us-west-2.amazonaws.com:443
[2024-05-01 21:44:47.883177] (0x0000ffffa8fb7fc0) [error] Could not perform SSL handshake with proxy server: unregistered scheme (STORE routines)

@RogerZhongAWS
Contributor

There may be minute differences between the Ubuntu images depending on the arch, which may not end up giving OpenSSL enough context about which cert stores to use for verifying server certificates. Can you try appending -c /etc/ssl/certs to the localproxy run command to see if that works?

@awwithro
Author

awwithro commented May 8, 2024

Adding -c /etc/ssl/certs does get this working.
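The fix confirmed above only works if the directory handed to -c is a real OpenSSL CApath, i.e. it contains the subject-hash-named certificate links (files such as 3513523f.0) that update-ca-certificates or c_rehash create; a directory without them verifies nothing. The following added example (not code from the issue or the localproxy project) is a POSIX sh pre-flight check for such a directory plus a helper that prints the run command from the issue with the -c fix applied and the token taken from the AWSIOT_TUNNEL_ACCESS_TOKEN environment variable instead of a CLI argument. The file name 3513523f.0 used in the comments is a constructed sample; the image tag and region are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example, not part of the issue or the localproxy project.

# Return 0 if DIR exists and holds at least one hash-named CA entry
# (8 hex digits, a dot, a digit, e.g. 3513523f.0 - a constructed sample),
# which is how OpenSSL's hashed-directory lookup finds CA certificates.
check_capath() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    n=0
    for f in "$dir"/*.[0-9]; do
        [ -e "$f" ] || continue            # glob did not match anything
        case "$(basename "$f")" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9])
                n=$((n + 1)) ;;
        esac
    done
    [ "$n" -gt 0 ] || { echo "no hash-named CA certs in $dir" >&2; return 1; }
    echo "$n hashed CA entries found in $dir"
}

# Print the docker run command from the issue with the CApath fix applied.
# The path passed to -c is resolved inside the container, so run check_capath
# inside the image (e.g. with --entrypoint /bin/sh) rather than on the host.
# The access token is read from AWSIOT_TUNNEL_ACCESS_TOKEN, as the warning
# in the issue's log recommends, so it never appears in the process list.
localproxy_cmd() {
    capath="$1"
    printf '%s\n' "docker run --rm -it --entrypoint=/root/bin/localproxy --network=host \
-e AWSIOT_TUNNEL_ACCESS_TOKEN \
public.ecr.aws/aws-iot-securetunneling-localproxy/ubuntu-bin:arm64-latest \
--region us-west-2 -s 5555 -c $capath"
}
```

Run check_capath against /etc/ssl/certs inside the image first; if it reports no hashed entries, update-ca-certificates (or c_rehash) needs to be run there before -c will help.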

@RogerZhongAWS
Contributor

Closing this issue; feel free to reopen if you have any other inquiries.

@awwithro
Author

Wouldn't it make sense to update the container so the default args work?

@utezduyar

I stumbled on this and got lucky with @awwithro's answer. Something maybe is still not updated. Wouldn't it be a bad idea to update the documentation?

@ig15
Contributor

ig15 commented Dec 3, 2024

Hi @utezduyar. Thanks for pointing this out. We'll update the README documentation with this as well.

@utezduyar

I also found out about this flag, --destination-client-type V1, which is needed to make the current AWS console work. Maybe consider adding it to the documentation too.

@ig15
Contributor

ig15 commented Dec 4, 2024

@utezduyar That is already present in the documentation at appropriate places, but feel free to let us know if you want it to be highlighted at some other place as well.
